Logical partition scenario and GFX sharing


Mikko Kovanen

Hi,

I'm pretty sure it is not possible, but just in case I have missed something crucial: is it possible to use GFX sharing (for example with GVT-g) in the logical partition scenario? The usage scenario we are investigating is such that it would have Android running on one user VM and Windows on another; both would need at least reasonable GFX performance, and it would be beneficial to not have a service VM in order to decrease the security scope.

Best regards,

Mikko Kovanen

Senior Specialist, SW

Mobile: +358 40 779 7528

www.aavamobile.com

 

Aava Mobile Oy

Nahkatehtaankatu 2  |   90130 Oulu, Finland

 


Geoffroy Van Cutsem
 

Hi Mikko,

You are correct, resources cannot be shared between VMs in the logical partition scenario. It sounds from the brief description of your use-case that you do not need hard realtime or Functional Safety certification, is that correct?

One thing that may be possible, but I don't know if anyone has tried it yet, is to run Android in a Docker container directly in the Service VM. See this page for more info on how to run Android in a Docker container: https://01.org/projectceladon/documentation/getting-started/on-container

Would that help you keep the attack surface of your system reasonably contained?

Thanks,

Geoffroy

 

From: acrn-users@... <acrn-users@...> On Behalf Of Mikko Kovanen
Sent: Tuesday, October 6, 2020 3:19 PM
To: acrn-users@...
Subject: [acrn-users] Logical partition scenario and GFX sharing

 

 



Mikko Kovanen
 

Hi Geoffroy,

Thanks for answering and confirming my assumption. You are correct, RT or FUSA is not required.
For security we are currently mainly focused on the requirement that Android display data should be protected from other VMs, and at the same time the security related development, evaluation, maintenance, attestation and monitoring efforts should be kept reasonably low (i.e. the virtualized environment should not significantly increase the security scope). For that a logical partition scenario with GVT-g would have been a pretty good match. Since that is not possible I guess the next options would be:

a. Integrating ACRN DM in Android
- Some development effort needed
- Only a slight increase in security efforts since Android itself is already in security scope

b. Using as simple a service VM as possible
- Significant increase in development effort since the service VM would need to be self-made (e.g. from Yocto)
- Even with a simple service VM the security scope would increase significantly because there likely is no way to exclude the service VM from security evaluation, maintenance, attestation and monitoring

Best regards,
Mikko


From: acrn-users@... <acrn-users@...> On Behalf Of Geoffroy Van Cutsem via lists.projectacrn.org
Sent: 8 October 2020 17:33
To: acrn-users@...
Subject: Re: [acrn-users] Logical partition scenario and GFX sharing



Geoffroy Van Cutsem
 

Hi Mikko,

Thanks for confirming these points (both about RT and FuSa).

I have added a few comments in-line below.

Cheers,
Geoffroy

-----Original Message-----
From: acrn-users@... <acrn-users@...>
On Behalf Of Mikko Kovanen
Sent: Friday, October 9, 2020 7:32 AM
To: acrn-users@...
Subject: Re: [acrn-users] Logical partition scenario and GFX sharing


> Hi Geoffroy,
>
> Thanks for answering and confirming my assumption. You are correct, RT or FUSA is not required.
> For security we are currently mainly focused on the requirement that Android display data should be protected from other VMs, and at the same time the security related development, evaluation, maintenance, attestation and monitoring efforts should be kept reasonably low (i.e. the virtualized environment should not significantly increase the security scope). For that a logical partition scenario with GVT-g would have been a pretty good match.

I agree, this sounded like the most promising option. Do you need much graphics performance for your Windows VM? If we can find a way to have the Windows VM display output transferred (over a network? Shared memory?) to the Android VM and let it manage it, would that help you? (Note that I'm kind of thinking aloud here so far 😊)

> Since that is not possible I guess the next options would be:
>
> a. Integrating ACRN DM in Android
> - Some development effort needed
> - Only a slight increase in security efforts since Android itself is already in security scope

I am not aware that this has ever been done. But China is on holiday at the moment, where many ACRN developers are located. They'll be back next week and perhaps can tell if anyone ever tried this.

> b. Using as simple a service VM as possible
> - Significant increase in development effort since the service VM would need to be self-made (e.g. from Yocto)

Are you aware of "meta-acrn" [https://github.com/intel/meta-acrn/]? It provides a layer with recipes for building a Service VM OS for ACRN (as well as a Linux Guest OS, but you don't need this part). It's a pretty basic OS at this stage so unless you really need to trim it down, this may be a very good starting point and save you quite some effort.

> - Even with a simple service VM the security scope would increase significantly because there likely is no way to exclude the service VM from security evaluation, maintenance, attestation and monitoring
>
> Best regards,
> Mikko



Mikko Kovanen
 

Hi Geoffroy,

thanks for getting back. I have added my comments in-line.

Best regards,
Mikko

-----Original Message-----
From: acrn-users@... <acrn-users@...>
On Behalf Of Geoffroy Van Cutsem via lists.projectacrn.org
Sent: 10 October 2020 2:38
To: acrn-users@...
Subject: Re: [acrn-users] Logical partition scenario and GFX sharing

> Hi Mikko,
>
> Thanks for confirming these points (both about RT and FuSa).
>
> I have added a few comments in-line below.
>
> Cheers,
> Geoffroy
>
> -----Original Message-----
> From: acrn-users@... <acrn-users@...>
> On Behalf Of Mikko Kovanen
> Sent: Friday, October 9, 2020 7:32 AM
> To: acrn-users@...
> Subject: Re: [acrn-users] Logical partition scenario and GFX sharing
>
> > Hi Geoffroy,
> >
> > Thanks for answering and confirming my assumption. You are correct, RT or FUSA is not required.
> > For security we are currently mainly focused on the requirement that Android display data should be protected from other VMs, and at the same time the security related development, evaluation, maintenance, attestation and monitoring efforts should be kept reasonably low (i.e. the virtualized environment should not significantly increase the security scope). For that a logical partition scenario with GVT-g would have been a pretty good match.
>
> I agree, this sounded like the most promising option. Do you need much graphics performance for your Windows VM? If we can find a way to have the Windows VM display output transferred (over a network? Shared memory?) to the Android VM and let it manage it, would that help you? (Note that I'm kind of thinking aloud here so far 😊)

It is indeed possible that for most use cases the graphics performance is not critical; one concern, however, is that Windows 10 itself might not work smoothly enough. To achieve this kind of setup the UEFI GOP framebuffer might be sufficient to allow Windows to run (I did a quick test by disabling the GFX device from Device Manager in our Apollo Lake based Windows 10 tablet, which as far as I understand should revert Windows 10 to using the framebuffer provided by the GOP driver, and it was still usable). Some data also suggests that Windows could run entirely headless with RDP. Virtualization with fewer cores and less memory will of course degrade the performance further for this setup, so more investigation regarding the performance is needed. Unfortunately I haven't yet been able to get GVT-g working with ACRN on our devices to get through the Windows installation process, so first I need to perform the Windows installation with some other method (GVT-d, different host machine, QEMU-KVM...), and then check the performance with the pre-installed image for RDP without any GFX adapter and for VNC with UEFI GOP GFX.

> > Since that is not possible I guess the next options would be:
> >
> > a. Integrating ACRN DM in Android
> > - Some development effort needed
> > - Only a slight increase in security efforts since Android itself is already in security scope
>
> I am not aware that this has ever been done. But China is on holiday at the moment, where many ACRN developers are located. They'll be back next week and perhaps can tell if anyone ever tried this.

The most probable candidate for Android in our case would be Celadon, and there the kernel appears to have at least some ACRN stuff integrated, though so far I have only taken a quick glimpse at the i915 driver sources (based on my limited experience the i915 driver can be quite difficult when it comes to cherry-picking changes between different kernel versions).

> > b. Using as simple a service VM as possible
> > - Significant increase in development effort since the service VM would need to be self-made (e.g. from Yocto)
>
> Are you aware of "meta-acrn" [https://github.com/intel/meta-acrn/]? It provides a layer with recipes for building a Service VM OS for ACRN (as well as a Linux Guest OS, but you don't need this part). It's a pretty basic OS at this stage so unless you really need to trim it down, this may be a very good starting point and save you quite some effort.
>
> > - Even with a simple service VM the security scope would increase significantly because there likely is no way to exclude the service VM from security evaluation, maintenance, attestation and monitoring
> >
> > Best regards,
> > Mikko


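The framebuffer and RDP test Mikko describes above (disabling the GFX device and checking whether Windows 10 stays usable, or is reachable headless over RDP), written up as an added example. This is not code from the thread or from the ACRN project; it is a PowerShell session a practitioner would run inside the Windows guest to confirm the state rather than eyeballing Device Manager. The only assumption is that the GPU's PnP friendly name starts with "Intel" (adjust the filter for other hardware); the cmdlets and the registry key are standard Windows PowerShell 5.1.

```powershell
# Added example, not part of the thread: verify the "GOP framebuffer / headless"
# state described above. Run in an elevated PowerShell session inside the Windows guest.
# Assumption: the GPU's friendly name starts with "Intel" (change the filter otherwise).

# 1. Display devices and their PnP status. After the Intel device is disabled it no
#    longer reports Status "OK"; the fallback "Microsoft Basic Display Adapter" should.
Get-PnpDevice -Class Display |
    Select-Object FriendlyName, Status, InstanceId |
    Format-Table -AutoSize

# 2. The controller actually driving the screen. With no vendor driver bound, Name is
#    "Microsoft Basic Display Adapter", i.e. Windows is drawing to the firmware framebuffer.
Get-CimInstance Win32_VideoController |
    Select-Object Name, DriverVersion, VideoModeDescription |
    Format-Table -AutoSize

# 3. RDP readiness for the headless variant: fDenyTSConnections 0 means RDP is enabled,
#    the "Remote Desktop" firewall rule group must be on, and TermService must be running.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$fw = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object { $_.Enabled -eq 'True' }
[pscustomobject]@{
    RdpEnabled        = ($ts.fDenyTSConnections -eq 0)
    RdpFirewallRules  = @($fw).Count
    TermServiceStatus = (Get-Service TermService).Status
}

# 4. Reproduce the Device Manager step itself: disable the Intel GPU so Windows falls
#    back to the basic display adapter. Undo with Enable-PnpDevice on the same InstanceId.
$gpu = Get-PnpDevice -Class Display | Where-Object { $_.FriendlyName -like 'Intel*' }
if ($gpu) {
    Disable-PnpDevice -InstanceId $gpu.InstanceId -Confirm:$false
}
```

Step 4 on a physical tablet is only a performance experiment: the GPU is still present, just unbound. In the virtualized setup the isolation Mikko is after comes from not assigning any GPU device to the Windows VM at all, so steps 1 to 3 are the ones worth re-running in the guest to confirm that Windows is indeed on the framebuffer and that RDP is the path in.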